@@ -41,6 +41,12 @@ define_property(TARGET
4141 BRIEF_DOCS "AES key for encrypting"
4242 FULL_DOCS "AES key for encrypting"
4343)
44+ define_property (TARGET
45+ PROPERTY PICOTOOL_IVFILE
46+ INHERITED
47+ BRIEF_DOCS "IV OTP salt for encrypting"
48+ FULL_DOCS "IV OTP salt for encrypting"
49+ )
4450define_property (TARGET
4551 PROPERTY PICOTOOL_EMBED_DECRYPTION
4652 INHERITED
@@ -392,24 +398,29 @@ function(pico_embed_pt_in_binary TARGET PTFILE)
392398 )
393399endfunction ()
394400
395- # pico_encrypt_binary(TARGET AESFILE [SIGFILE <file>] [EMBED] [OTP_KEY_PAGE <page>])
401+ # pico_encrypt_binary(TARGET AESFILE IVFILE [SIGFILE <file>] [EMBED] [OTP_KEY_PAGE <page>])
396402# Encrypt the target binary with the given AES key (should be a binary
397403# file containing 128 bytes of a random key), and sign the encrypted binary.
398- # This sets PICOTOOL_AESFILE to AESFILE, and PICOTOOL_ENC_SIGFILE to SIGFILE
399- # if present, else PICOTOOL_SIGFILE.
404+ # Salts the public IV with the provided IVFILE (should be a binary file
405+ # containing 16 bytes of a random IV), to give the IV used by the encryption.
406+ # This sets PICOTOOL_AESFILE to AESFILE, PICOTOOL_IVFILE to IVFILE, and
407+ # PICOTOOL_ENC_SIGFILE to SIGFILE if specified, else PICOTOOL_SIGFILE.
400408# Optionally, use EMBED to embed a decryption stage into the encrypted binary.
401409# This sets PICOTOOL_EMBED_DECRYPTION to TRUE.
402410# Optionally, use OTP_KEY_PAGE to specify the OTP page storing the AES key.
403411# This sets PICOTOOL_OTP_KEY_PAGE to OTP_KEY_PAGE.
404- function (pico_encrypt_binary TARGET AESFILE)
412+ function (pico_encrypt_binary TARGET AESFILE IVFILE )
405413 set (options EMBED)
406414 set (oneValueArgs OTP_KEY_PAGE SIGFILE)
407415 # set(multiValueArgs )
408- cmake_parse_arguments (PARSE_ARGV 2 ENC "${options} " "${oneValueArgs} " "${multiValueArgs} " )
416+ cmake_parse_arguments (PARSE_ARGV 3 ENC "${options} " "${oneValueArgs} " "${multiValueArgs} " )
409417 picotool_check_configurable(${TARGET} )
410418 set_target_properties (${TARGET} PROPERTIES
411419 PICOTOOL_AESFILE ${AESFILE}
412420 )
421+ set_target_properties (${TARGET} PROPERTIES
422+ PICOTOOL_IVFILE ${IVFILE}
423+ )
413424
414425 if (ENC_EMBED)
415426 set_target_properties (${TARGET} PROPERTIES
@@ -540,6 +551,10 @@ function(picotool_postprocess_binary TARGET)
540551 if (picotool_aesfile)
541552 pico_add_link_depend(${TARGET} ${picotool_aesfile} )
542553 endif ()
554+ get_target_property (picotool_ivfile ${TARGET} PICOTOOL_IVFILE)
555+ if (picotool_ivfile)
556+ pico_add_link_depend(${TARGET} ${picotool_ivfile} )
557+ endif ()
543558 get_target_property (picotool_enc_sigfile ${TARGET} PICOTOOL_ENC_SIGFILE)
544559 if (picotool_enc_sigfile)
545560 pico_add_link_depend(${TARGET} ${picotool_enc_sigfile} )
@@ -579,7 +594,7 @@ function(picotool_postprocess_binary TARGET)
579594 VERBATIM )
580595 endif ()
581596 # Encryption
582- if (picotool_aesfile)
597+ if (picotool_aesfile AND picotool_ivfile )
583598 get_target_property (picotool_embed_decryption ${TARGET} PICOTOOL_EMBED_DECRYPTION)
584599 if (picotool_embed_decryption)
585600 list (APPEND picotool_encrypt_args "--embed" )
@@ -591,13 +606,13 @@ function(picotool_postprocess_binary TARGET)
591606 endif ()
592607
593608 add_custom_command (TARGET ${TARGET} POST_BUILD
594- DEPENDS ${picotool_enc_sigfile} ${picotool_aesfile}
609+ DEPENDS ${picotool_enc_sigfile} ${picotool_aesfile} ${picotool_ivfile}
595610 COMMAND picotool
596611 ARGS encrypt
597612 --quiet --hash --sign
598613 ${picotool_encrypt_args}
599614 $<TARGET_FILE:${TARGET} > $<TARGET_FILE:${TARGET} >
600- ${picotool_aesfile} ${picotool_enc_sigfile} ${otp_file}
615+ ${picotool_aesfile} ${picotool_ivfile} ${ picotool_enc_sigfile}${otp_file}
601616 COMMAND_EXPAND_LISTS
602617 VERBATIM )
603618 if (ARGC EQUAL 2)
0 commit comments